Back to catalog

Log4Shell: log4j Remote Code Execution vulnerability

No violationsstackroxcriticalbuilddeploy

Alert on deployments with images containing the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). There are flaws in the Java logging library Apache Log4j in versions from 2.0-beta9 to 2.15.0, excluding 2.12.2.

Rationale
These vulnerabilities allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.
Remediation
Update the log4j libary to version 2.16.0 (for Java 8 or later), 2.12.2 (for Java 7) or later. If not possible to upgrade, then remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
CategoriesVulnerability Management
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.4(c)
ISO/IEC 27001 2022
A.8.8
NIST SP 800-53 rev. 5
RA-5
PCI DSS 4.0
6.3.1
SOC 2 2017 TSC
CC7.1

Generated artifacts

1 of 5 targets supported
log4shell-log4j-remote-code-execution-vulnerability.rego
# Log4Shell: log4j Remote Code Execution vulnerability (trivy)
# severity: critical
# source: stackrox/cf80fb33-c7d0-4490-b6f4-e56e1f27b4e4
package trivy.log4shell_log4j_remote_code_execution_vulnerability

deny[msg] {
  # rule 1
  some v
  v := input.Vulnerabilities[_]
  v.VulnerabilityID == {"CVE-2021-44228", "CVE-2021-45046"}[_]
  msg := "[critical] Log4Shell: log4j Remote Code Execution vulnerability: Alert on deployments with images containing the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). There are flaws in the Java logging library Apache Log4j in versions from 2.0-beta9 to 2.15.0, excluding 2.12.2."
}
IR (canonical)
{
  "id": "cf80fb33-c7d0-4490-b6f4-e56e1f27b4e4",
  "name": "Log4Shell: log4j Remote Code Execution vulnerability",
  "description": "Alert on deployments with images containing the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). There are flaws in the Java logging library Apache Log4j in versions from 2.0-beta9 to 2.15.0, excluding 2.12.2.",
  "rationale": "These vulnerabilities allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.",
  "remediation": "Update the log4j libary to version 2.16.0 (for Java 8 or later), 2.12.2 (for Java 7) or later. If not possible to upgrade, then remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class",
  "severity": "critical",
  "categories": [
    "Vulnerability Management"
  ],
  "lifecycle": [
    "build",
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "cve",
    "values": [
      "CVE-2021-44228",
      "CVE-2021-45046"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "cf80fb33-c7d0-4490-b6f4-e56e1f27b4e4",
  "name": "Log4Shell: log4j Remote Code Execution vulnerability",
  "description": "Alert on deployments with images containing the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). There are flaws in the Java logging library Apache Log4j in versions from 2.0-beta9 to 2.15.0, excluding 2.12.2.",
  "rationale": "These vulnerabilities allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.",
  "remediation": "Update the log4j libary to version 2.16.0 (for Java 8 or later), 2.12.2 (for Java 7) or later. If not possible to upgrade, then remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class",
  "disabled": false,
  "categories": [
    "Vulnerability Management"
  ],
  "lifecycleStages": [
    "BUILD",
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "CRITICAL_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "CVE",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "CVE-2021-44228"
            },
            {
              "value": "CVE-2021-45046"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}